Closed
Bug 559256
Opened 15 years ago
Closed 15 years ago
bad oom-handling in js_GrowSlots, js_AllocSlots
Categories
(Core :: JavaScript Engine, defect)
Core
JavaScript Engine
Tracking
()
RESOLVED
FIXED
People
(Reporter: luke, Assigned: luke)
Details
(Whiteboard: [sg:critical?] fixed-in-tracemonkey)
Attachments
(1 file, 1 obsolete file)
|
1.77 KB,
patch
|
gal
:
review+
|
Details | Diff | Splinter Review |
js_GrowSlots does not check for null being returned by the cx->realloc at the end. crash-stats shows 26 crashes in js_GrowSlots in the last week, many pointing to the exact line after realloc, so its definitely hitting. Dereferencing null, so no security vulnerability.
js_AllocSlots does check for cx->malloc returning null, but returns true. The callers seem to assume true means success, so this seems wrong. This bug seems scarier, since callers may go on to assume obj->dslots is the size requested and write past the end of dslots. Maybe there is a good argument as to why this cannot be exploited but I can't see it, so I'm defaulting to security confidential.
|
||
Comment 1•15 years ago
|
||
OOM is gal's kryptonite.
/be
|
Assignee | |
Comment 2•15 years ago
|
||
Although crashstats indicates that it doesn't happen in practice (why would a sane CRT fail for a shrinking realloc?), cx->realloc is also unchecked in js_ShrinkSlots.
Attachment #438931 -
Attachment is obsolete: true
|
|
||
Comment 3•15 years ago
|
||
We have seen FreeBSD (ulp, jemalloc?) realloc fail when asked to shrink. Typical size classifying problem.
/be
|
|
Assignee | |
Comment 4•15 years ago
|
||
Ah, then my apologies to them for questioning their CRT's sanity.
|
|
Assignee | |
Updated•15 years ago
|
Attachment #438935 -
Flags: review?(gal)
|
||
Updated•15 years ago
|
Attachment #438935 -
Flags: review?(gal) → review+
|
||
Updated•15 years ago
|
Whiteboard: [sg:critical?]
|
|
Assignee | |
Comment 5•15 years ago
|
||
Whiteboard: [sg:critical?] → [sg:critical?] fixed-in-tracemonkey
|
||
Comment 6•15 years ago
|
||
Status: ASSIGNED → RESOLVED
Closed: 15 years ago
Resolution: --- → FIXED
|
||
Comment 7•14 years ago
|
||
Luke, did this affect 1.9.2 and if so, was it fixed there? If it was fixed or did not affect 1.9.2, is there any reason to keep this locked?
|
|
Assignee | |
Comment 8•14 years ago
|
||
js_ShrinkSlots on 1.9.2 appears not to check realloc's return value. However, on oom, it always derefs 0 so produces a safe (and extremely rare) crash. js_ShrinkSlots has a void return type on 1.9.2 so it isn't a tiny fix. Given this poor risk/reward I would elect not to fix.
Group: core-security
You need to log in
before you can comment on or make changes to this bug.
Description
•